EquationDrug, the main platform that has been used by the nation-state cyber-espionage actor Equation Group, has been in use for more than 10 years—but a fresh analysis from Kaspersky Lab shows that its evolution exemplifies an emerging trend. Nation-state attacks are becoming more sophisticated, targeting carefully defined victims with customized, complex, modular tools, extracting large volumes of valuable information.
Equation Group has been engaged in multiple computer network exploitation operations dating back to 2001, and perhaps as early as 1996. EquationDrug, which is still in use, dates back to 2003 (although it is being replaced by the more modern GrayFish platform).
Its default iteration includes basic functions like file collection and the ability to take screenshots. But, Kaspersky’s analysis shows that it can be extended through plugins (or modules). In all, the firm discovered dozens of them, and each is a sophisticated element that can communicate with the core and become aware of the availability of other plugins.
The plugins that it discovered also probably represent just a fraction of the attackers' potential—Kaspersky estimated that 86 modules have yet to be discovered.
Taken together, the EquationDrug platform includes dozens of executables, configurations and protected storage locations, Kaspersky said. The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components that are “as sophisticated as a space station.”
“It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyber-espionage activities by deploying specific modules on the machines of selected victims,” Kaspersky said in a technical analysis.
The EquationDrug case demonstrates a growth in code sophistication as nation-state attackers look for better stability, invisibility, reliability and universality in their cyber-espionage tools.
“Nation-state attackers are looking to create more stable, invisible, reliable and universal cyber-espionage tools,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab, in an email. “They are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted form, inaccessible to regular users. Sophistication of the framework makes this type of actor different from traditional cyber-criminals, who prefer to focus on payload and malware capabilities designed for direct financial gains.”
While traditional cyber-criminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. And while traditional cyber-criminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.
Overall, Kaspersky hypothesizes that EquationDrug’s development may go back as far as the '90s, making Equation Group one of the longest-lasting spy rings around.
“Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of the supported platforms,” the firm said. “While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD-files), as well as compilation timestamps dating back to the early 2000s, the hypothesis that these attackers have been active since the '90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.”